Laurelai used to live in Fayetteville, Arkansas, population 73,000. This is the same town where Andrew Auernheimer (AKA Weev) lived last year and was arrested for the AT&T/iPad email hacking incident.
Part of that pastebin doxing was a chat log where Laurelai was discussing the FBI visit she received last week. The FBI was investigating the HBGARY/HBGary Federal hacking incident. She was not arrested but they took her computer and phone for forensic analysis. Laurelai lost her job as a result of the pastebin post including the company where she worked.
Perhaps the greatest threat to Lulzsec is their members' history and contacts with other hackers who are now pissed and more than willing to dox them. The following link, posted on Sunday, comes from team poison and probably should be taken with as many grains of salt as you wish. If true, this may have forced Lulzsec to become non-operational and focus on covering their tracks.
Side note:
I have just been monitoring a twitter spat between teamp0ison and anonymouSabu (sabu). I am not sure if I am watching a sequel to hackers or a playground fight.
I commonly read the comments on various articles for a couple of major newspapers. For the articles that aren't pure tech, I assume that those commenters represent a broad variety of professions and interests. In the last 3 weeks, I have seen a lot of comments related to hacking from people who are clearly not tech oriented. So, I disagree, Lulzsec's choice of high profile targets, immediate public announcements, and media sensationalizing has definitely led to a greater public awareness of computer security. Whether that awareness translates into action to eliminate well known security vulnerabilities is another issue.
As for government organizations, I assure you the Arizona Department of Public Safety is correcting their ridiculously low level of computer security. The passwords of several members' accounts were found out by either a password cracking program trying multiple passwords for each particular account over the internet, or by running a cracking program on the password hash file somehow copied off a server. They should have in place a small limit to login attempts before the account is locked out. In addition, the password hash file should be protected and accessible only to network administrators. At any rate, the base problem was weak passwords. They should have software in place to enforce strong passwords. Microsoft Windows can be configured to do this at varying strengths. A fix is fairly easy for this vulnerability and I'll bet all sorts of law enforcement agencies across the country are looking into this. Arizona's DPS surely didn't think they would be a hacking target. Other government organizations can look at that and say it could just as easily have been them.
We don't know how Ryan Cleary was caught and the LEOs don't want us to know. If Tor was fully compromised all of the Lulzsec members would have been caught. I think it is very unlikely that enough Tor nodes were compromised that even one member would have, randomly, been caught. I think it much more likely he made a mistake along with someone who had contact with him deciding to snitch. My point about Tor was that Tor itself was not compromised. I wasn't saying they couldn't be caught even though they were using Tor.
I don't see any point in belittling the, supposed, lack of skills of the guy who was caught. The most experienced hacker will want to write, or use, tools that automate the hacking. Just because someone didn't write the tools they are using doesn't make them stupid, or less dangerous. The fact that these hackers are battling among themselves is something that law enforcement approves of or even enables (e.g. Cointelpro).
I definitely have mixed feelings about Lulzsec. They should not have published home addresses of law enforcement agents. The DDOS attack on the CIA public website was pointless. Their choice of targets sometimes seemed to have juvenile motivations. A more dedicated hacktivist would argue that they wasted opportunities by not keeping their hacking successes secret and then monitoring government and corporate websites for useful information to leak.
There were two effects that I see as beneficial from Lulzsec's, high profile, blitzkrieg campaign of hacking. Computer security has been thrust into the public eye far more effectively than from the government's occasional proclamations of the coming apocalypse from cyber-warfare. This effect was so powerful that the average citizen was speculating that last week's United Airlines network crash, which forced many flight cancellations, was due to hacking, even though this was unlikely. This awareness is important; a lot of security vulnerabilities are easily fixed. Vulnerabilities that individuals, businesses, and organizations, big and small, usually don't have enough concern about to bother fixing.
The other beneficial effect was a real test of the effectiveness of the Tor onion routing network in preserving anonymity. Lulzsec not only used Tor for the actual hacks but for their IRC chats and twitter proclamations. The FBI has been trying really, really hard to catch them, but tracing them through their network activities was, apparently, a dead end. However, be wary of renewed US efforts to ban anonymity, from the government at least, on the internet.
Re: Re: Re: Those who choose safety over liberty . . .
Being stopped is not the same as being searched. Were you stopped while driving? What agency? Was it a discretionless stop (i.e. was everyone being stopped at a checkpoint)? What types of questions were asked? Did they search you or the car without asking permission?
There are some exceptions apart from the border search exception but without probable cause these are very restrictive.
I have a comment further down about the highways and passenger cars. I didn't include it because I don't think the cars or people in them were physically searched. If I am mistaken, and it is a guess as the news link about it does not have much information, then a lawsuit should be brought to stop the practice.
My point about the bomb was not about the degradation of 4th amendment rights. Rather, it was about how ineffective random but very visible searches would be to stop terrorist attacks.
Maybe it is a matter of semantics here but I will try to clarify my point. When humans get involved in breeding other species they provide an "artificial" selection pressure. I consider this part of the evolution equation. It is co-evolution and part of the system. Cross-breeding, as opposed to genetic modification, is a shotgun approach. While you attempt to select characteristics that humans desire, at the same time there are likely to be other characteristics, unintentionally selected, that make individuals of a species less fit. Even with genetic modification a single introduced gene may be expressed in multiple ways, some of which hinder survival. Humans don't control the entire equation and natural selection, or rather the selection pressures not due to human influence, may override the influence of humans in the long run. This is my point, that the selection pressure from humans is not the whole equation and that characteristics that humans find desirable may themselves reduce an individual's fitness or inadvertently come with other characteristics that reduce fitness.
A small quibble. Selection of a species' characteristics by humans is not survival of the fittest at work. An example is that breeding of crop grains, although leading to a grain crop that is more nutritious or easier to grow, can lead to grains that are more susceptible to disease. It is evolution with artificial selection, however, natural selection (survival of the fittest) is still at work. How about bananas? They cannot even reproduce without human intervention. A more extreme example is the "exotic" dog breeds that have peculiar medical problems.
It is not clear from the linked article what kind of search was being done with passenger cars. I suspect they were only using radiation detectors and dogs. It would be problematic for them to even question the driver or passengers in light of the fact that anti-drunk checkpoints have to be announced in advance and that the driver has to be able to avoid the checkpoint after seeing it (or is that only California?). At any rate, what happens if you refuse a search or questioning? Do they force you to turn around and drive back to wherever you got your bomb? It's like saying, at an airport when you refuse a search, that you can't travel to NY but you can go to Seattle.
There are restrictions on the border search exception.
"A search at the border’s functional equivalent is constitutionally valid when:
(1) a reasonable certainty exists that the person or thing crossed the border;
(2) a reasonable certainty exists that there was no change in the object of the search since it crossed the border; and
(3) the search was conducted as soon as practicable after the border crossing."
For the most part, the border search exception is not going to apply to any of the VIPR checkpoints. However, ICE agents can question or detain individuals anywhere in the U.S. to determine, for example, if aliens have a right to be in the U.S. One thing I am sure they cannot do at a VIPR checkpoint is search your laptop or the contents of other electronic devices.
The TSA is using all the powers they have at airports at any of these VIPR checkpoints. This includes search of any of your bags, purses, etc. and a physical search of you.
Additionally, there are radiation detectors, and explosives detection such as dogs. It would be interesting to know if they ever use drug detecting dogs.
As with the TSA at airports you can always decline to be searched but with the penalty of not being able to ride the train, bus, subway, or trolley. If I had brought my bomb with me I would just come back when the VIPR checkpoint is no longer there. There was even a sign at the entrance to a train station building, during a VIPR checkpoint, warning that you should expect to be searched.
"If you refuse to be screened at any point during the screening process, the Security Officer will deny you entry beyond the screening area. You will not be able to fly."
"That person will have to remain on the premises to be questioned by the TSA and possibly by local law enforcement. Anyone refusing faces fines up to $11,000 and possible arrest."
John Tyner, the "don't touch my junk" guy, refused to be searched and was threatened with a $10,000 fine and a civil lawsuit.
A TSA manager eventually said that if Tyner would not agree to be patted down, he should be escorted from the airport. After a bit of a hassle with American Airlines, Tyner's ticket was refunded, but as he went to leave, he was stopped again by the TSA manager and another man who informed Tyner that should he complete the security check he could be "subject to a civil suit and a $10,000 fine."
I replied that he already had my information in the report that was taken and I asked if I was free to leave. I reminded him that he was now illegally detaining me and that I would not be subject to screening as a condition of leaving the airport. He told me that he was only trying to help (I should note that his demeanor never suggested that he was trying to help. I was clearly being interrogated.), and that no one was forcing me to stay. I asked if tried to leave if he would have the officer arrest me. He again said that no one was forcing me to stay. I looked him in the eye, and said, "then I'm leaving". He replied, "then we'll bring a civil suit against you", to which I said, "you bring that suit" and walked out of the airport.
So, if you enter the security checkpoint and refuse to be searched you can be detained and questioned. Neither the TSA nor a LEO can search you without further probable cause.
Just refusing to be searched is not grounds for arrest. The TSA has made the threat about fines but I don't believe they have ever followed through. Does anyone know what law such a fine would be based on?
That's pretty lame for Microsoft. They should look to Intel's innovative tactics as an example and change the Xbox to use only proprietary memory cards. New, better, faster memory cards that only Microsoft makes. As a bonus to their users, they could offer a free service to transfer game software to the new type of memory cards.
Isn't QA what those old slow software companies used? Modern, web 2.0 companies can't be tied down by that crap. Take a cue from Facebook's motto, "Move fast, break stuff".
Whoa, wait a minute! If you encrypt all your files separately before uploading them, then Dropbox cannot do de-duplication of files on their servers. That would mean they would not only have to charge more to survive but they might as well change their system to have encryption/decryption happen on the client's computer without them knowing the key.
Apparently the CEO is the same guy as the one who filed the patent. His site below for Clever Industries makes him look amazing, incredibly amazing, incredibly unbelievably amazing.
"Companies like yours are the foundation upon which this
nation's economic growth and competitiveness rests."
- Vice President Al Gore
This patent seems like a kitchen sink patent, as in everything including the kitchen sink. It covers, at an overview level, everything dealing with a media distribution system. I think that is why it has so many references to other patents. Given that, it is unclear what parts in the description are supposed to be unique and novel. In other words, what is the core of this patent? I think there is an attempt to be patenting an entire system for media distribution. However, that whole system is not described in detail well enough to see how it works. For example, he describes using multiple network traffic directors as a way of using redundancy to avoid a single point of failure and achieve robustness. However, there is no description whatsoever of how a client request gets routed to a particular network traffic director. This is a major hole if you're attempting to describe a working system.
It appears to me that the core of the patent is the protocol that rests upon either multicast delivery or UDP and provides "reliability". For those who aren't network engineers, reliability in a communication protocol is a way for sender and receiver to know that a packet is missing from a message and allows the sender to re-send the packet until it successfully arrives. This is a client/server protocol and is most definitely not P2P. When the server receives a request it will first attempt to send packets via multicast. If that is not working for whatever reason, packets are sent via unicast UDP. If needed, the clients use a separate "channel" to send NAK (negative acknowledgment) packets back to the server for missing packets. A client can jump in at any time and start receiving packets wherever the stream happens to be, at the moment, within the file. While the server still has active clients at the last packet for the file, it will loop back to the beginning and start over. The data rate is established during the creation of each "channel". However, it is hardly adaptive in comparison to what TCP offers in response to network congestion. Another hole in this protocol which is not addressed at all is how the client knows the size of the entire file. It needs to know this; otherwise packets missing at the end of the file will never be detected. He says the packets are serialized but there is no description of any separate protocol header. So, I assume he uses the identification field from the IP header.
I am also struggling to see where this scheme applies to BitTorrent. BitTorrent is most definitely a P2P protocol and does not use multicast. I can only imagine that they are looking at the implementation of a higher level (higher than the transport protocol) protocol which provides reliability. Since TCP provides reliability, you have to look where BitTorrent uses UDP. As far as I know, (I don't use BitTorrent and so haven't looked at the generated traffic) BitTorrent only uses UDP for its DNA (Delivery Network Accelerator) variant. Although BitTorrent DNA is still P2P, it is, in a sense, a client/server protocol. Everyone who downloads BitTorrent gets a BitTorrent DNA client, but you have to pay to get the server software. I haven't checked the source code (is it available publicly?) but I can't imagine that there is a violation of the 944 patent.
In looking through this patent, I have to agree the flow charts are atrocious. They were done by someone (yes Scott Redmond, I am talking about you) who doesn't know how to do flow charts.
On the post: The End Of LulzSec Is Not The End Of Hactivism
Re: Why jump ship now?
On the post: The End Of LulzSec Is Not The End Of Hactivism
Re: Why jump ship now?
On the post: The End Of LulzSec Is Not The End Of Hactivism
Why jump ship now?
http://pastebin.com/iVujX4TR
gn0sis (nigg, eekdacat, uncommon, kayla, laurelai)
madclown, topiary, avunit, sabu, tflow, joepie91
On the post: The End Of LulzSec Is Not The End Of Hactivism
Re: Re: benefits
On the post: The End Of LulzSec Is Not The End Of Hactivism
benefits
On the post: TSA Takes Security Theater On The Road: Mobile Groping Teams Can Pop Up Anywhere
Re: Re: Re: Those who choose safety over liberty . . .
On the post: TSA Takes Security Theater On The Road: Mobile Groping Teams Can Pop Up Anywhere
Re: Re: Re: Those who choose safety over liberty . . .
http://www.fas.org/sgp/crs/homesec/RL31826.pdf
On the post: Intellectual Property Infringement: That's Why We Have This Rice To Eat Today
Re: Re: survival of the fittest
On the post: Intellectual Property Infringement: That's Why We Have This Rice To Eat Today
survival of the fittest
On the post: TSA Takes Security Theater On The Road: Mobile Groping Teams Can Pop Up Anywhere
Re: 4th Amendment and Travel
On the post: TSA Takes Security Theater On The Road: Mobile Groping Teams Can Pop Up Anywhere
Re: Those who choose safety over liberty . . .
On the post: TSA Takes Security Theater On The Road: Mobile Groping Teams Can Pop Up Anywhere
Re: Re:
http://www.techdirt.com/articles/20110609/22335214647/is-pretending-your-domain-name-has-been-seized-ice-new-rickroll.shtml#c801
On the post: TSA Takes Security Theater On The Road: Mobile Groping Teams Can Pop Up Anywhere
Re:
http://www.techdirt.com/articles/0110609/22335214647/is-pretending-your-domain-name-has-been-seized-ice-new-rickroll.shtml#c801
On the post: TSA Takes Security Theater On The Road: Mobile Groping Teams Can Pop Up Anywhere
Re: Re: Re: GL with that.
On the post: Microsoft Still Claiming That It Can Use The DMCA To Block Competing Xbox Accessories
Re: Re: lame tactic
On the post: Microsoft Still Claiming That It Can Use The DMCA To Block Competing Xbox Accessories
lame tactic
On the post: Oops: Dropbox Left All User Accounts Wide Open For Four Hours This Weekend
Re: Not excusable. Period.
On the post: Oops: Dropbox Left All User Accounts Wide Open For Four Hours This Weekend
Re: How about TrueCrypt
On the post: BitTorrent Sued For Patent Infringement
Re: Hmm....interesting...
http://www.scottredmond.com/
http://www.scottredmond.org/
The following article is fairly entertaining.
http://gizmodo.com/5737088/the-greatest-scam-in-tech-scott-redmond-would-like-us-to-clarify
On the post: BitTorrent Sued For Patent Infringement
Re: